Virtual CISO – Running a Business. Thinking Differently about Security!
It’s Monday morning and I have already been up for a while. I have had a few cups of tea. I have answered a few emails. I have written and submitted a proposal for a new piece of work. It’s a great client too. When I submitted the proposal I had a sense of relief that it was out the door. The thing is, I don’t like sales, pre-sales, or business development work. This kind of work is immensely valuable but, to paraphrase Barack Obama, it’s not what I do! I’m a CISO, not a Salesperson. Sure, I can sell a concept. I can persuade a senior leadership team to support an information security programme. I can influence activities in an organisation to improve security. But selling products and services for cash money is not my strength. Once you become a Virtual CISO, however, you must be able to do both. In fact, you must be able to do a whole lot of other things too (HR, Procurement, Marketing et al). Whilst you are no doubt comfortable securing a business, as a Virtual CISO you now find you need to be able to run a business too. This process of running a business, however, is illuminating in a way being an in-house CISO may not be. I think running a business actually makes you a better CISO too. Here’s why…
Them and Us
CISOs can often feel they are outside the business looking in, often perceived by the business as a “cost”.
Cybersecurity isn’t making our company any money, in fact, it’s holding us back from making more money.
Business leadership often see security as a blocker. Something to avoid. Something to circumvent. Some organisations only hire a CISO as either a tick box exercise or worse, hire a wholly unsuitable candidate simply to use as a scapegoat when things [inevitably] go wrong. We could spend hours discussing the perils of having such attitudes but ultimately, as CISOs, virtual or in-house, we need to change the narrative. We need to show the business we understand them and that our presence adds value – lots of value in fact! When you run a business, you either demonstrate value or your business dies. The same approach should be applied to the security function!
As a Virtual CISO provider, each task completed for a client is in the form of a deliverable. If we don’t deliver, we don’t get paid. Sometimes even when we do deliver we still don’t get paid, but that’s a whole different article! For in-house CISOs things are not always so clear cut. How can you prove a negative, i.e. nothing has happened [yet] so we must be secure? How can your senior leadership team know whether what you’re doing is a superhuman feat or just dumb luck?
One of the simplest ways to show value is to use the data you are collecting effectively. Take all those security tools. The senior management team are wondering why they are spending so much money when nothing ever happens. Show them what is actually happening. Show them their Return on Investment. Show them how many phishing attempts have been blocked by using DNS-based web filtering over the previous proxy-based solution. Show how many pieces of malware have been blocked. How many attempts to breach your network have been stopped in their tracks by your firewalls. How your SOC identified a major security misconfiguration, allowing it to be fixed before it could be exploited.
If you’re unsure about what and how you should present your data to your leadership team, look at what other departments are presenting. Where the Board are engaged with a particular project, analyse that interest. Why do they feel it is important? How can you as the CISO help make that initiative a success? Listen to the questions employees ask during town halls. Adapt communication to target demographics within your organisation so that the right messages get to the right people.
Security is NOT the top priority for your business!
As a company owner, I am more than comfortable telling anyone who reads this that security is not my main priority. Yet at security conferences, and in countless articles, CISOs are told Cybersecurity Must Be the Top Priority for the Board in 2021. No! No! No! We need to get out of this mindset! I can only assume such mantras are peddled by security vendors as a way to sell more of their products and services!
Rather than try and shoehorn security into the Board’s list of priorities, CISOs should understand their organisation’s actual priorities. Once these priorities are understood, CISOs should then communicate to their Boards how security adds value and supports each priority. Let’s say, for example, one of the Board’s strategic priorities is to lead on diversity, equity and inclusion. A CISO should understand this imperative and communicate to the Board how the security department is aligning its employment practices accordingly. If the Board wants to prioritise workplace transformation or developing new ways of working, security should be showing the Board how it can add value by keeping those new ways of working secure and operational.
Understand costs and opportunities
Fox Red Risk is five years old. As Managing Director, I chose to attain Cyber Essentials in year four when it was needed for certain business opportunities. Before that, it wasn’t a priority. It wasn’t like I didn’t ensure we were secure before year four, but the certification process is a cost and if no-one is asking me for certification, why would I divert resource away from other projects?
The opportunity cost of attaining certification would have meant delaying the cost of purchasing a piece of software we now use fairly regularly to analyse the rules on client firewalls. Choosing to purchase that software first increased revenue and in part paid for the certification costs. Whilst a fairly simplistic example to illustrate the point, the business leaders in your organisation will be faced with these kinds of decisions every day in varying shapes and scale.
When asking for budget for your cybersecurity programme, it is critical CISOs consider the opportunity costs of their programme against other initiatives the organisation is exploring. Ask questions regularly. Am I getting value out of this Managed SOC Service? Am I fully utilising the security features baked into the organisation’s cloud platform subscription (especially as you’re already paying for them)? Could I hire an inexperienced junior analyst at a lower cost and invest in their development instead of paying for a unicorn? Do I need the bells and whistles tool or do I just need the basic offering? Can we make our processes more efficient through automation? Essentially, can we do more with less? Remember: optimal risk management is where risks are managed to within risk appetite at the lowest cost point. If you have the biggest budget in comparison to similar-sized peers you may be doing your organisation a disservice.
Think like you’re running the business
So, a few things to think about. Whether you’re a seasoned CISO or just starting out in security, temper your approach to consider yourself as the owner of the business. Even if you have never run your own company, try to understand the mindset of a person running a business. What would you do if it was your company? What would you do if you were spending your own money? Would you still approach security in the same way…or would you do things differently?
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.